We begin this episode with a quick tour of the Apple antitrust decision that pitted two Trump appointees against each other in a 5-4 decision. Matthew Heiman and I consider the differences in judging styles that produced the split and the role that 25 years of “platform billionaires” may have played in the decision.

Eric Emerson joins us for the first time to talk about the legal fallout from the latest tariff increases on Chinese products. Short version: companies have some short-term tactics to explore (country of origin, drawback, valuation), but large importers/resellers have to grapple with larger and costlier strategies of supply chain diversification and localization.

Meanwhile, China has not been taking the trade war lying down. In addition to its own tariff increases, it seems to be enforcing its demanding cybersecurity law more aggressively against foreign firms. I ask whether we are also seeing retaliation in Chinese courts.

In related news, Nick Weaver and I debate the potentially sweeping new Executive Order on Securing the Information and Communications Technology and Services Supply Chain.

Maury Shenk explains the UK Supreme Court ruling that expands the court’s authority over the UK’s intelligence agencies despite clear Parliamentary language to the contrary. Bottom line: Bad news for UK intelligence. Hidden good news for the US: Turns out that there is something worse than activist judges interpreting a written constitution – activist judges who can more or less make up the constitution they want.

It was a cybersecurity disaster week for some of the biggest names in tech. Nick helps me understand which bugs were worst, Cisco’s, Intel’s, or Microsoft’s. Then we review the equally bad week that the NSO Group and its WhatsApp exploit had.

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

With apologies for the late post, Episode 263 of The Cyberlaw Podcast tells the sad tale of another US government leaker who unwisely trusted The Intercept not to compromise its source. As Nick Weaver points out, The Intercept also took forever to actually report on some of the material it received.

The first overt cyberattack on the US electric grid was a bust, I note, but that’s not much comfort.

How many years of being told “I’m washing my hair that night” should tell you you’re not getting anywhere? The FCC probably thought China Mobile should have gotten the hint after eight years of no action on its application to provide US service, but just in case the message didn’t get through, it finally pulled the plug last week.

Delegating to Big Social the policing of terrorist content has a surprising downside, as Nate points out. Sometimes the government or civil society needs that data to make a court case.

We touch briefly on Facebook’s FTC woes and whether Sen. Hawley (R-MO) should be using the privacy stick to beat a company he’s mad at for other reasons. I reprise my longstanding view that privacy law is almost entirely about beating companies that you’re mad at for other reasons.


When California lawmakers hastily enacted the California Consumer Privacy Act (CCPA) in June 2018, few expected the law — voted on after only a few days’ deliberation — to remain unamended. And, indeed, the law was first amended just a few months later. But that was not the end of the story. In late April, California legislative committees voted on several amendments to CCPA, which takes effect January 1, 2020. Some of these amendments would make the CCPA a bit more business-friendly, while others would make it far more burdensome — and potentially costly — for companies.

This update summarizes these proposed amendments, which, if passed, will be further supplemented by regulations promulgated by the Office of the Attorney General, which are still expected to be issued for public comment by fall 2019. The Office of the Attorney General has been holding town hall meetings throughout California in order to gather input from companies and consumer advocates to help shape these regulations.

Have the Chinese hired American lawyers to vet their cyberespionage tactics – or just someone who cares about opsec? Probably the latter, and if you’re wondering why China would suddenly care about opsec, look no further than Supermicro’s announcement that it will be leaving China after a Bloomberg story claiming that the company’s supply chain was compromised by Chinese actors. Nick Weaver, Joel Brenner, and I doubt the Bloomberg story, but it has cost Supermicro a lot of sales – and even if it isn’t true this time, the scale and insouciance of past Chinese cyberespionage make it inherently believable. Hence the company’s shift to other sources (and, maybe, a new caution on the part of Chinese government hackers).

GDPR and the California Consumer Privacy Act (CCPA) may be the Dumb and Dumber of privacy law, but neither is going away. And for the next six months, California’s legislature will be struggling against a deadline to make sense of the CCPA. Meegan Brooks gives us an overview.

But we in Washington can’t get too smug about California’s deadline-driven dysfunction. Congress also faces a year-end deadline to renew the Section 215 program, and even the executive branch hasn’t decided what it wants. Joel takes us through the program’s history, its snake-bitten implementation, and the possible outcomes in Congress.

This week in Silicon Valley content control: Facebook dropped the link-ban hammer on Louis Farrakhan, Alex Jones, and Milo Yiannopoulos for being “dangerous.” But did it really? Once again, I volunteer to put my Facebook access at risk by testing Facebook’s censorship engine – posting a different Infowars story there every day. Not because I love the conspiracy-mongering Alex Jones but because banning links is a bad idea. (Among other things, you can’t really pile links up and burn them in cinematic pyres at rallies.) But both Facebook and Jones may have a codependent interest in overstating the ban, because as of Day 4 of my experiment, my Facebook account is still alive and well, as are the Infowars links.

The FBI has accused US scientists of sending intellectual property to China, running shadow labs, and (this part really appalls Nick) corrupting the peer review process at NIH. Sadly, Science magazine buys into easy claims that the flap is born of racial bias.

We close the episode with the latest and most shocking facial recognition scandal. It turns out face recognition researchers are chasing down unwilling subjects and restraining them to get the subjects’ pictures – all in service to untried and udderly unreliable technology. All we need to turn this into a major scandal is a public policy entrepreneur willing to work the intersection between the EFF and PETA.


On Episode 261, blockchain takes over the podcast again. We dive right into the recent activity from the SEC, namely, the Framework for “Investment Contract” Analysis of Digital Assets and the No-Action Letter issued to TurnKey Jet, Inc. (TurnKey) for a digital token. Gary Goldsholle noted this guidance has been eagerly anticipated since July 2017 when the SEC first applied the Howey Test to a digital token with the DAO report. The current framework focuses primarily on the reasonable expectation of profits and efforts of others prongs of the Howey Test. While the framework lays out a number of factors to consider when determining whether a token is a security, the practicality of those factors is still up for debate.

Will Turner explained that the TurnKey No-Action Letter was most useful for parties interested in structuring a private, permissioned, centralized blockchain, but believes the guidance in the Framework would allow for alternative structures. The key from the SEC’s perspective is that there is no expectation of profits for token holders, since the token is a stablecoin pegged to the value of USD and there is no use of the token outside of TurnKey’s network. Jeff Bandman noted the irony that the first No-Action Letter related to blockchain and cryptocurrency involves private jets, particularly since “Mr. and Ms. 401(k)”—the retail investors SEC Chairman Jay Clayton is focused on protecting—are not likely to become private jet users anytime soon.

Jeff emphasized the importance of network functionality and observed that the network for private jet use was already established. Alan Cohn highlighted this tension between the need for centralization to achieve functionality, and need for decentralization as a means to avoid meeting the “derived from the efforts of others” prong of the Howey Test.

Gary then turned to Blockstack’s Regulation A filing, the most comprehensive effort to register a token under Reg. A that we have seen to date. Blockstack is seeking to be a Tier 2 issuer, meaning they can raise up to $50 million in 12 months, which comes with heightened disclosure obligations and requires audited financials. While they seek to raise capital as a security today, their ultimate goal – and a central risk factor in their offering circular – is to achieve the requisite level of decentralization such that they no longer would meet the definition of a security.

Meanwhile, in Congress, the recently reintroduced Token Taxonomy Act of 2019 would exempt a newly defined category of digital tokens from the definition of a security, as well as provide some clarity on tax issues for cryptocurrency users and exchanges. Jeff observed that these amendments might contribute further to a gap in federal regulation over spot trading markets. While the CFTC has enforcement authority, they do not have the authority to directly supervise the bitcoin trading market.

Turning to the interview, Jeff describes how he co-founded Global Digital Finance (GDF), along with other co-founders in Europe, Asia, and the United States, in order to address the lack of international standards surrounding the blockchain industry – or even a general consensus of terminology. Jeff describes how GDF has a number of working groups focused on developing high-level principles and standards on a range of topics, including stablecoins, custody, tax, and security tokens. GDF is trying to fill in some of the gaps that appear when jurisdictions regulate cryptocurrencies and crypto-assets differently. As an example of its work, GDF’s KYC/AML/CTF group recently commented on FATF’s standards, issuing two comments in October 2018 and April 2019.

Jeff is also in the process of launching a new transfer agent service, Block Agent, focused on enabling and supporting SEC-regulated issuances. As markets mature, it is increasingly important to have the necessary post-trade infrastructure, and he is committed to offering services that recognize the novel features and efficiencies around these new technologies.

For our listeners in the DC area, Steptoe is hosting a half-day complimentary regulatory symposium this Thursday, May 2, in our DC office. Our plenary speakers include current and former commissioners and high-level officials with agencies such as the Federal Energy Regulatory Commission, the Surface Transportation Board, and the Environmental Protection Agency. We will also have breakout panels focused on four separate topics: Deference, Globalization, Regulatory/Legislative Approach, and Preemption. To register, click here.


Coming Up: Blockchain Takes Over the Podcast (Thu, 25 Apr 2019)

Next week, blockchain is taking over The Cyberlaw Podcast once again. On April 29, Steptoe partners Alan Cohn, Gary Goldsholle, and Will Turner will reconvene to discuss the latest in blockchain and cryptocurrency regulation. At the top of the list is the suite of updates coming out of the U.S. Securities and Exchange Commission, including the Framework for “Investment Contract” Analysis of Digital Assets and a No-Action Letter regarding TurnKey Jet, Inc. We’ll consider what this means for companies trying to issue tokens and lay out potential permissible token launch models. We’ll also examine two recent filings: (1) Blockstack’s filing for a $50M regulated token offering; and (2) Acra’s filing to issue its shares as digitized securities, Acra UST Coins.

In this episode, Nick Weaver and I discuss new Internet regulations proposed in the UK. He’s mostly okay with its anti-nudge code for kids, but not with requiring proof of age to access adult material. I don’t see the problem; after all, who wouldn’t want to store their passport information with Pornhub?

Sri Lanka’s government has suspended social media access in the wake of the Easter attack. As Matthew Heiman notes, the reaction in the West is more or less a shrug – far different from the universal contempt and rejection displayed toward governments who did much the same during the 2011 Arab Spring rebellions. What made the difference? I argue that it’s Putin’s remarkably successful 2016 social media counterattack on Hillary Clinton as payback for her social media campaign against him in 2011.

Paul Rosenzweig, back from hiatus and feisty as ever, mocks the EU Commission for its on-again, off-again criticism of Kaspersky’s security. Short version: The Commission wants badly to play in cybersecurity because it’s the Hot New Thing, but it has no institutional competence there, in either sense of the word. Speaking of Kaspersky, someone is doing a bad job of trying to compromise its critics with ham-handed private investigator-imposters.

Man bites dog: The Trump Administration is taking interagency processes seriously, and doing a better job than Obama’s team – at least when it comes to use of Cyber Command. Matthew dives into the repeal of PPD-20.

Remember that face recognition software that the NGOs said was so crappy it had to be banned? Now, the New York Times reports that it’s so good it has to be banned. Not so fast, says Microsoft: Our face recognition software is still so crappy that it can’t be sold to law enforcement, and it ought to be export controlled so that China can sell – keep improving – its face recognition tools.

Bet you thought we forgot the Mueller Report. Nope! In fact, I offer the one conclusion about the report that everyone across the political spectrum can agree on. Anti-climactically, Paul and I point out that the report throws sidelights on the “Going Dark” debate and Bitcoin anonymity. Nick points out that we already knew everything the Mueller Report tells us on those topics.

Finally, Nick and I wrangle over the lessons to be drawn from Facebook’s privacy travails.


Companies Are Ready and Willing to Comply with CCPA – But First, They Need to Know How (Tue, 16 Apr 2019)

Recently, Meegan Brooks, an associate in our San Francisco office, published an article on the California Consumer Privacy Act. Below is an excerpt. You can read the full article here.

No one disputes the importance of guarding the privacy of consumer information. But the recently enacted California Consumer Privacy Act (CCPA) threatens businesses with potentially crippling liabilities, while also harming consumers who benefit from innovation (including new ways to use data to offer personalized services and product recommendations) and enjoy free services made possible by data collection, processing and usage.

California’s Attorney General and legislature are currently proposing amendments to the law. Their proposals, however, may do little to aid businesses in knowing how to comply with CCPA, and may instead dramatically increase liability risks for non-compliance. Indeed, the amendments currently under consideration appear calculated to please the plaintiff class action bar above all others. The proposed amendments would incentivize private enforcers to sue defendants for annihilating penalties, even where the alleged violations are morally blameless and do not cause actual harm, while also removing the limited mechanisms currently available by which companies can obtain guidance on how to comply.

California’s privacy law should be clarified to promote understanding and compliance, and to limit private remedies by narrowly tailoring them to the culpability of a defendant’s conduct, while also taking into account whether non-compliance has caused any actual monetary loss or data breach.

Maury Shenk notes that the Pentagon’s reported plan to put a bunch of Chinese suppliers on a blacklist is a bit of a tribute to China’s own list of sectors not open to Western companies. In other China news, Matthew discloses that there’s reason to believe that China has finally begun to use all the US personnel data it stole from OPM. I’m so worried it may yet turn my hair pink, at least for SF-86 purposes.

And in a sign that it really is better to be lucky than to be good, Matthew and I muse on how the Trump Administration’s China policy is coinciding with broader economic trends to force US companies to reconsider their reliance on Chinese manufacturing.

We also delve into the Google Sensorvault story. Nick and I agree that law enforcement access to location data, especially under the conditions set by Google, isn’t much of a privacy scandal, at least compared to private access to the same data. But that doesn’t mean it won’t raise endless legal problems for all concerned, partly because asking for a warrant out of the box isn’t quite the right legal or privacy framework.

Pete Jeydel notes two examples of CFIUS’s new toughness: It’s forcing a Russia-linked firm to sell its stake in a cybersecurity company, and it has handed out a $1 million fine to a company that blew off its obligations under a mitigation agreement.

Maury covers the German data protection commissioner’s refusal to let German cops store data in the Amazon cloud. The commissioner blames the CLOUD Act and the risk that US authorities may get cross-border access to the data. I flag the commissioner for hypocrisy and ignoring international law. Turns out that the Justice Department has a good new whitepaper out on the CLOUD Act, and it points out that remote access to offshore data has been an implicit part of the Budapest Convention since the ‘90s.

Returning once more to China, Maury and I touch on the Chinese government’s use of AI to find Uighurs in crowds of Han Chinese. In my view, the only thing surprising about this story is that the New York Times thinks we should be surprised by it.


Our News Roundup leads with the long, slow death of Section 230 immunity. Nick Weaver explains why he thinks social media’s pursuit of engagement has led to a poisonous online environment, and Matthew Heiman replays the astonishing international consensus that Silicon Valley deserves the blame – and the regulation – for all that ails the Internet. The UK is considering holding social media execs liable for “harmful” content on their platforms. Australia has already passed a law to punish social media companies for failure to remove “abhorrent violent material.” And Singapore is happily drafting behind the West, avoiding for once the criticism that its press controls are out of step with the international community. Even Mark Zuckerberg is reading the writing on the wall and asking for regulation. I note that lost in the one-minute hate directed at social media is any notion that other countries shouldn’t be able to tell Americans what they can and can’t read. I also wonder whether the consensus that platforms should be editors will add to conservative doubts about maintaining Section 230 at all – and in the process endanger the US-Mexico-Canada Agreement that would enshrine Section 230 in US treaty obligations.

Nate gives Kaspersky’s lawyers high grades for imagination and effort but not for credibility in their claim that we can trust the company’s software because Russian law doesn’t authorize Putin to intercept its data feeds.

And, with a hat tip to Gus Coldebella for the story, Matthew and I dig into the Washington attorney general’s $12 million settlement with Motel 6 for its cooperation with ICE. We think Motel 6 could have defended on federal preemption grounds and maybe gotten help from the Justice Department. But if the problem was bad publicity, that defense would have just made things worse.

Our interview is with Adam Segal, the Council on Foreign Relations’ expert on all things digital and China. Adam prognosticates on the likely fate of US-China trade talks, data localization in China, and on the future of China’s commercial cyberespionage plans.
